Analecta Cyber Company Blog: Android Malware Exaspy found Targeting Executives

2016-11-09

Android Malware Exaspy found Targeting Executives

Researchers at Skycure Research Labs have identified a malicious Android application on a senior executive's mobile phone. The malware is disguised as a legitimate application and is difficult to distinguish from the other applications installed on the device: once installed it presents itself under the name "Google Services" so that it blends in with genuine Google components. Read on for capabilities, signatures and other artifacts.

Affected Data & Services

Exaspy is sold as a low-cost, turn-key spyware package and has extensive capabilities to spy on nearly every feature of an Android device. A remote attacker can access:

- Facebook Messenger conversations
- Google Hangouts conversations
- SMS and MMS text messages
- Email contents
- Skype conversations
- Viber and WhatsApp conversations
- Photos and videos stored on the device
- Browser history
- Call history
- Screenshots captured on the device

More troubling still, the malware is able to turn on the microphone and record audio, both telephone conversations and background (ambient) sound.

Identifying the malware

Current versions of the malware can be identified in a few different ways.

Network Artifacts

You may be able to identify the malicious software through network monitoring, specifically by looking for DNS requests for the following domains. Note the digit zero in place of the letter "o" in andr0idservices: a search for the legitimate-looking spelling will not match.
- api.andr0idservices.com
- andr0idservices.com
- exaspy.com

Updates are fetched as a file named "a.apk" over unencrypted HTTP from the hard-coded URL hxxp://www.exaspy.com/a.apk (active at the time of this writing). Because the transfer is plaintext, both the request for /a.apk and the APK itself are visible to any proxy or packet capture between the device and the Internet, and the host name is a subdomain of exaspy.com, so domain matching should include subdomains.

Filesystem Artifacts

The following SHA-1 hashes identify known files associated with Exaspy:
c4826138e07636af1eeb6008e580704575ec1bc7
4bf89c3bf4fb88ad6456fe5642868272e4e2f364
9725c1bf9483ff41f226f22bd331387c187e9179
f1fbebc2beafe0467ee00e69b3f75719cdbbd693

Android OS Specific Artifacts

The application is named "Google Services".
The package name is "com.android.protect". This sits in the com.android namespace used by platform packages, which makes it look like a system component; the genuine Google Play Services package, by contrast, is com.google.android.gms, so an app named "Google Services" with a com.android.* package name is itself a warning sign.

Certificate Related Artifacts

The APKs are signed with a certificate carrying the following subject and SHA-1 fingerprint. Tools such as keytool and apksigner print fingerprints as colon-separated upper-case hex, so normalise the output before comparing it with the value below.

Subject: /O=Exaspy/OU=Exaspy/CN=Exaspy
Fingerprint: c5c82ecf20af94e0f2a19078b790d8434ccedb59
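The following script is an added example, not code from the original post or from Skycure, that ties together the network, filesystem, package and certificate indicators listed above into one offline triage check. It assumes a constructed DNS log format (timestamp, client address, record type, queried name), constructed `adb shell pm list packages -f` output, and sample bytes standing in for an APK; none of the sample data is real traffic or a real capture. The domain check treats subdomains of the listed names as hits, which covers www.exaspy.com as well as the bare domains, and the fingerprint check accepts the colon-separated upper-case form printed by keytool.

```python
import hashlib
import re

# Indicators transcribed from the post above.
EXASPY_DOMAINS = {
    "api.andr0idservices.com",  # digit zero, not the letter o
    "andr0idservices.com",
    "exaspy.com",
}
EXASPY_SHA1 = {
    "c4826138e07636af1eeb6008e580704575ec1bc7",
    "4bf89c3bf4fb88ad6456fe5642868272e4e2f364",
    "9725c1bf9483ff41f226f22bd331387c187e9179",
    "f1fbebc2beafe0467ee00e69b3f75719cdbbd693",
}
EXASPY_PACKAGE = "com.android.protect"
EXASPY_CERT_SHA1 = "c5c82ecf20af94e0f2a19078b790d8434ccedb59"


def is_ioc_domain(qname):
    """True if qname is a listed C2 domain or a subdomain of one.

    The name is lower-cased and a trailing dot (as written by zone files
    and some resolver logs) is stripped before comparison.
    """
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in EXASPY_DOMAINS)


def scan_dns_log(lines):
    """Return (client, queried_name) for each log line that hits an IOC.

    Assumed (constructed) log format: whitespace-separated fields with the
    client address in the second column and the queried name in the last.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, qname = fields[1], fields[-1]
        if is_ioc_domain(qname):
            hits.append((client, qname.lower().rstrip(".")))
    return hits


def check_apk_bytes(data):
    """Return (sha1_hex, known) for the raw bytes of an APK."""
    digest = hashlib.sha1(data).hexdigest()
    return digest, digest in EXASPY_SHA1


def check_apk_file(path):
    """Hash a file on disk and compare it against the known SHA-1 list."""
    with open(path, "rb") as f:
        return check_apk_bytes(f.read())


# One line of `pm list packages -f` output: package:<apk path>=<package name>
PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


def find_exaspy_packages(pm_output):
    """Return the APK paths of every installed package named com.android.protect."""
    found = []
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m and m.group("pkg") == EXASPY_PACKAGE:
            found.append(m.group("path"))
    return found


def is_exaspy_cert(fingerprint):
    """Compare a SHA-1 fingerprint (any case, with or without colons) to the IOC."""
    return fingerprint.replace(":", "").strip().lower() == EXASPY_CERT_SHA1


# Constructed sample data for demonstration only; not real logs or captures.
SAMPLE_DNS_LOG = [
    "2016-11-08T09:12:01Z 10.1.4.22 A www.google.com",
    "2016-11-08T09:12:07Z 10.1.4.22 A api.andr0idservices.com.",
    "2016-11-08T09:15:33Z 10.1.4.31 A androidservices.com",  # letter o: benign
    "2016-11-08T09:16:02Z 10.1.4.22 A WWW.EXASPY.COM",
]
SAMPLE_PM_OUTPUT = """package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/data/app/com.android.protect-1/base.apk=com.android.protect
package:/data/app/com.example.mail-2/base.apk=com.example.mail"""

if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {name}")
    for path in find_exaspy_packages(SAMPLE_PM_OUTPUT):
        print(f"package hit: {path}")
    print("sample bytes known:", check_apk_bytes(b"not an exaspy apk")[1])
```

To use it against a real device, replace SAMPLE_PM_OUTPUT with the output of `adb shell pm list packages -f`, pull any matching APK with `adb pull` and pass it to check_apk_file, and feed the resolver's query log to scan_dns_log after adjusting the column positions to the resolver's format.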